{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-03-02T00:00:00", "descriptions": [{"lang": "en", "value": "Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "tomcat-servletsecurity-sec-bypass(65971)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65971"}, {"name": "20110315 [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/517013/100/0/threaded"}, {"name": "43684", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/43684"}, {"name": "46685", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/46685"}, {"name": "ADV-2011-0563", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2011/0563"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://tomcat.apache.org/security-7.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1076587"}, {"name": "71027", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/71027"}, {"name": "1025215", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1025215"}, {"name": "[announce] 20110302 [SECURITY] Tomcat 7 ignores @ServletSecurity annotations", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1076586"}, {"name": "[users] 20110302 Re: @DenyAll does nothing", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://markmail.org/message/lzx5273wsgl5pob6"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1077995"}, {"name": "[users] 20110302 Re: @DenyAll does nothing", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://markmail.org/message/yzmyn44f5aetmm2r"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T22:14:27.461Z"}, "title": "CVE Program Container", "references": [{"name": "tomcat-servletsecurity-sec-bypass(65971)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65971"}, {"name": "20110315 [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/517013/100/0/threaded"}, {"name": "43684", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/43684"}, {"name": "46685", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/46685"}, {"name": "ADV-2011-0563", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2011/0563"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://tomcat.apache.org/security-7.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1076587"}, {"name": "71027", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/71027"}, {"name": "1025215", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1025215"}, {"name": "[announce] 20110302 [SECURITY] Tomcat 7 ignores @ServletSecurity annotations", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1076586"}, {"name": "[users] 20110302 Re: @DenyAll does nothing", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://markmail.org/message/lzx5273wsgl5pob6"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1077995"}, {"name": "[users] 20110302 Re: @DenyAll does nothing", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://markmail.org/message/yzmyn44f5aetmm2r"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-1088", "datePublished": "2011-03-14T19:00:00", "dateReserved": "2011-02-24T00:00:00", "dateUpdated": "2024-08-06T22:14:27.461Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application."}, {"lang": "es", "value": "Apache Tomcat v7.x anterior a v7.0.10 no sigue anotaciones ServletSecurity, lo que permite a atacantes remotos evitar las restricciones de acceso a trav\u00e9s de peticiones HTTP a una aplicaci\u00f3n web."}], "id": "CVE-2011-1088", "lastModified": "2023-02-13T04:29:04.103", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-03-14T19:55:02.167", "references": [{"source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E"}, {"source": "secalert@redhat.com", "url": "http://markmail.org/message/lzx5273wsgl5pob6"}, {"source": "secalert@redhat.com", "url": "http://markmail.org/message/yzmyn44f5aetmm2r"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/43684"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1076586"}, {"source": "secalert@redhat.com", "url": "http://svn.apache.org/viewvc?view=revision&revision=1076587"}, {"source": "secalert@redhat.com", "url": "http://svn.apache.org/viewvc?view=revision&revision=1077995"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://tomcat.apache.org/security-7.html"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/71027"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/517013/100/0/threaded"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/46685"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1025215"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2011/0563"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65971"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "tomcat: various flaws due not following ServletSecurity annotations", "id": "708955", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=708955"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "draft"}, "details": ["Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application."], "name": "CVE-2011-1088", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "tomcat5", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2011-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2011-1088\nhttps://nvd.nist.gov/vuln/detail/CVE-2011-1088"], "statement": "Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3,\nRed Hat Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web Server 1.0. It also did not affect the versions of jbossweb as shipped with JBoss Enterprise Application Platform 4.3.0 and earlier versions, as this flaw only affects Apache Tomcat 7.0.0 to 7.0.10.", "threat_severity": "Moderate"}